Attackers can gain full remote access to an Android device via a public USB charging port

Tomcat



With the arrival of USB devices and USB ports in everyday life, one of the main security requirements has become careful attention to connection points that are capable of transferring data between devices. For exactly this reason, Android has offered, from its earliest versions (2.0, to be precise), an option to manually switch the device's port into data-transfer mode with the connected party, i.e. the USB host. Until this function is activated, the device only charges from USB and ignores any (overt) requests for data exchange from the other side.

But Kevin Butler and his information security research team at the University of Florida recently discovered an extremely elegant and yet quite dangerous way to attack user devices via a USB port. In this scenario, the port itself appears to the observer only as a power source and can be placed in any public or not-so-public location, for example on an infected PC, in a cafe, or at a USB charging point at an airport. Besides the attacker having access to data exchange through the charging port, one more condition must be met for the attack: the smartphone screen must leave the owner's field of view (so that they do not notice that the device has begun to "live a life of its own").

In this case, the screen lock password is bypassed with one short command, which gives the attacker access to the smartphone's home screen.
According to a report by Butler and his team, the attack on smartphones ingeniously uses undocumented AT commands to remotely control the smartphone screen, which technically takes the OS's various protective functions against third-party interference out of play. In fact, Butler and his team have found a way to create a "ghost user" by completely fooling the existing Android security features and fully simulating screen touches with low-level AT commands. Samsung and LG devices are susceptible to the attack; it was on devices from these manufacturers that the laboratory experiments were carried out.

This type of attack vector has long been known to information security specialists. The first reports that a device connected via USB could become the target of an attack by cybercriminals date back to 2011-2013. For example, Kaspersky Lab specialists warned users at the time that connecting any USB device implies an exchange of identification codes between the user's device and the peripheral. We also discussed the use of this attack vector in our article about deceiving and hacking Apple devices and their new USB Restricted Mode feature.

But while people are accustomed to dealing with obvious attacks on the OS itself, attacks built on low-level AT commands have not yet become widespread. Butler and his team recorded an entire video in which they demonstrate how to remotely control a user's smartphone under the guise of interacting with the screen. What makes this attack simple is that the initial exchange of identification data allows one to determine the device type, model, and installed OS; after that it is only a matter of preparation in advance for "blind" navigation of the interface. This is what it looks like in the console on the attacker's side, and how a device attacked in this way behaves:


How does this attack threaten users?


In fact, the ability to use AT commands to gain access to the screen while pretending to be a real person gives attackers complete control over the device. This means that through a seemingly harmless USB charger they can send messages from your smartphone, make a call, sign you up for services, forward all your mail, log into your online bank and steal 3-D Secure codes, turn on your camera and take a photo, use any application on your smartphone, enable developer mode, and even reset the device to factory defaults. Simply put, everything depends only on the attacker's imagination.

Butler and the team reported their discovery in advance, and LG released corresponding patches to close the vulnerability back in July. However, users are left with millions of devices that will never be updated. Right now, the team of researchers is testing smartphones from other popular manufacturers for the vulnerability, primarily Apple products, but the very fact that AT commands can be used in this way already suggests that the "holes" in the information security of modern devices are of a fundamental nature. One cannot help drawing an analogy with Spectre and Meltdown, whose very possibility, as in the case of AT commands (the standard was developed back in the 70s), arose from architectural problems and from the path of technological development that was chosen long ago.

The research documentation can be found here. The sources of the undocumented commands are also posted in a repository on GitHub.